<?php
// The session carries the per-client login_attempts counter read by
// checkRateLimit() below, and receives user_id / csrf_token after a login.
session_start();
// NOTE(review): presumably this is what defines $conn, the prepared-statement
// handle used by the POST handler below — confirm against config/db.php.
require_once "config/db.php";
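/**
 * Returns false when the given client has used up its login-attempt budget,
 * true when another attempt may be processed.
 *
 * The POST handler below keeps one record per client in
 * $_SESSION['login_attempts'][$ip] = ['count' => int, 'time' => int],
 * where 'time' is the unix timestamp the record was created. More than 5
 * failures within 300 seconds of that timestamp blocks further attempts.
 *
 * NOTE(review): the counter lives in the client's own session, so a client
 * that drops its session cookie starts with a fresh budget. Treat this as a
 * convenience limit, not a substitute for a server-side attempt store.
 *
 * @param string $ip Client address used as the per-client key (REMOTE_ADDR).
 */
function checkRateLimit(string $ip): bool {
    // The lookup must use the same key the handler writes ($ip). The original
    // looked up the literal string "ip", so the limit was never enforced.
    $record = $_SESSION['login_attempts'][$ip] ?? null;
    if ($record === null) {
        return true;
    }
    $tooManyFailures = ($record['count'] ?? 0) > 5;
    $windowStillOpen = (time() - ($record['time'] ?? 0)) < 300;
    return !($tooManyFailures && $windowStillOpen);
}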
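// POST handler: authenticate the submitted email/password against the users
// table and answer with a small JSON object. Failures are counted per client
// in the session so checkRateLimit() can block a burst of bad attempts.
if (($_SERVER['REQUEST_METHOD'] ?? '') === "POST") {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    if (!checkRateLimit($ip)) {
        die(json_encode(['success' => false, 'message' => 'Too many attempts']));
    }
    // Missing or non-string fields become empty strings instead of raising an
    // undefined-index warning or a TypeError in password_verify(); an empty
    // value simply fails to match.
    $email = filter_var($_POST["email"] ?? '', FILTER_SANITIZE_EMAIL);
    $password = $_POST["password"] ?? '';
    if (!is_string($password)) {
        $password = '';
    }
    // NOTE(review): assumes $conn is a mysqli connection from config/db.php
    // (bind_param/get_result are mysqli APIs) — confirm.
    $stmt = $conn->prepare("SELECT id, passhash FROM users WHERE email = ?");
    $stmt->bind_param("s", $email);
    $stmt->execute();
    $result = $stmt->get_result();
    $user = $result->fetch_assoc();
    if ($user && password_verify($password, $user["passhash"])) {
        // Rotate the session id on this privilege change so an id issued
        // before login cannot be reused, and clear this client's failure count.
        session_regenerate_id(true);
        unset($_SESSION['login_attempts'][$ip]);
        $_SESSION["user_id"] = $user["id"];
        $_SESSION["csrf_token"] = bin2hex(random_bytes(32));
        echo json_encode(["success" => true]);
        exit;
    }
    // NOTE(review): when no row matches, password_verify() is skipped, so the
    // response time differs between unknown and known emails.
    // Failure: open a fresh window when none exists or the previous one has
    // expired. Without the reset the count grew forever against the original
    // timestamp, so checkRateLimit() could never fire again after 300 seconds.
    $record = $_SESSION['login_attempts'][$ip] ?? null;
    if ($record === null || (time() - ($record['time'] ?? 0)) >= 300) {
        $_SESSION['login_attempts'][$ip] = ['count' => 0, 'time' => time()];
    }
    $_SESSION['login_attempts'][$ip]['count']++;
    echo json_encode(["success" => false, "message" => "Invalid credentials"]);
}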
?>